Encryption Plus Business Intelligence Equal Secure Data

Article ID: 53778

Santa delivered presents months ago to Monro Muffler Brake and Service based in Rochester, New York. The automobile service company received an early gift in the form of a System i software package that helps it manage credit card data protected by increasingly tighter business regulations.

The more than 700 Monro retail shops accept credit cards from customers as payment for automobile repair and maintenance services. Those transactions are stored on a corporate-maintained i810 as part of a centralized settlement system. The data is kept long enough to make sure there aren't any problems with the transactions.

Recently, regulators tightened the requirements of the Payment Card Industry's (PCI) Data Security Standard, which governs credit card transactions, so that the information must be encrypted at the field level in a company's database.

For consumers, the regulations translate to greater security, making it more difficult for would-be identity thieves to get the data. For Burton August, Jr., director of system IT development at Monro, the tighter requirements mean that more complex solutions are necessary to manage the company's data. The new restrictions lessen Monro's ability to run a query on its customer database and extract information. "Once I start to encrypt data, it becomes difficult to search on that data," August says.

Monro has workarounds, August adds, like sifting through data such as customer names, which are free of some restrictions. But such a solution may not always be possible, and security measures implemented at a later date may break what works now.

Over the summer, though, Patrick Townsend & Associates and New Generation Software (NGS) combined efforts to help solve problems like Monro's, and August's development work has benefited, too. Townsend and Associates brought its cryptography expertise together with the query and business intelligence software of NGS to create a way to securely decrypt information such as a credit card number on the fly in a query. The package also offers reporting capabilities that make it possible to not only know who ran what queries but also which fields were decrypted — information that can prove helpful in tracking down data misuse.

For Patrick Townsend, president of the company that bears his name, the alliance was created to alleviate the pain many of his customers faced. Townsend's firm develops an Advanced Encryption Standard (AES) encryption solution which ensures that data at rest in System i implementations is secure. Customers, though, kept telling him that this only solved part of their problem. They were also running ad-hoc reports and using business intelligence tools, many of which the encryption broke.

Townsend began working with NGS and found that the company's product, NGS-IQ, had an architecture that intercepted queries before their results were displayed. These exit points enabled a decryption routine to run during data extraction, with controls over who had access to the query and the data, which would satisfy the compliance requirements. The combination of software from the two firms thus enabled the data to be secure and still accessible via a query. "You can have your cake and eat it, too," Townsend says.
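As an added illustration of the arrangement described above (this is constructed example code, not code from Townsend & Associates, NGS or Monro): a query hook that decrypts a field-level-encrypted card number only for roles cleared to see it, records who decrypted which field of which row (the reporting capability mentioned earlier), and shows why a plain equality search on the encrypted column no longer works. The key, role names, policy and sample rows are assumptions, and an HMAC-SHA256 keystream stands in for the AES library so the block runs with the standard library alone.

```python
import hashlib
import hmac
import os

# Constructed demo key; the product described above keeps its AES key in a key store.
KEY = b"constructed-demo-key-not-for-production"
ENCRYPTED_FIELDS = {"card_number"}
# Hypothetical role policy: which encrypted fields a role may see decrypted in a query.
DECRYPT_POLICY = {"settlement_auditor": {"card_number"}, "shop_clerk": set()}
AUDIT_LOG = []  # who decrypted which field of which row

def _keystream(nonce, length):
    """Stand-in for the AES library: HMAC-SHA256 counter keystream (demo only)."""
    return b"".join(hmac.new(KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))[:length]

def _xor(data, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))

def encrypt_field(plaintext):
    """Field-level encryption with a fresh per-row nonce (what sits at rest on the i810)."""
    nonce = os.urandom(12)
    return nonce + _xor(plaintext.encode(), nonce)

def decrypt_field(blob):
    return _xor(blob[12:], blob[:12]).decode()

def run_query(user, role, rows, fields):
    """Exit-point style hook: decrypt only fields the role is cleared for, and log each one."""
    allowed = DECRYPT_POLICY.get(role, set())
    result = []
    for row in rows:
        out = {}
        for f in fields:
            if f not in ENCRYPTED_FIELDS:
                out[f] = row[f]
            elif f in allowed:
                out[f] = decrypt_field(row[f])
                AUDIT_LOG.append({"user": user, "role": role, "field": f, "row": row["id"]})
            else:
                out[f] = "*** encrypted ***"  # the query still runs; the field stays opaque
        result.append(out)
    return result

def count_ciphertext_matches(rows, card_number):
    """Naive equality search on stored ciphertext: misses, because each row has its own nonce."""
    return sum(1 for r in rows if r["card_number"] == encrypt_field(card_number))

SAMPLE_ROWS = [  # constructed settlement records holding a test card number
    {"id": 1, "shop": "Rochester-01", "card_number": encrypt_field("4111111111111111")},
    {"id": 2, "shop": "Buffalo-07", "card_number": encrypt_field("4111111111111111")},
]
```

Searching the encrypted column directly finds nothing even though both rows hold the same number, which is the point August makes about encryption making data hard to search; the query hook recovers the value only for a cleared role and leaves an audit trail of every decryption.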

He notes that the solution isn't without cost. Decryption adds some overhead to the process of running a query and getting an answer, which slows the response somewhat unless processing power is added. The extent of the hit depends on the size of the database and other factors, one of which is the efficiency of the decryption itself. Townsend points out that his is a fourth-generation cryptographic library and claims it's the most optimized available for the System i. Even so, he puts the cost of cryptography in the 10 to 20 percent range.

That burden can be cut significantly by employing such techniques as running business intelligence tasks in a separate partition with processors assigned to it. Another solution might be to go with a cryptographic appliance, which would add some communication overhead but eliminate the decryption load.

Bill Langston, director of marketing at NGS, says his company is happy with the performance of the combined solution, with tests showing no obvious performance degradation. Feedback from customers has not been extensive, in part because the product is new and in part because there has not been a big commitment to secure queries just yet. Monro, for example, is currently using the solution only for development work at corporate headquarters, but it could be expanded into a production environment in the future.

Langston expects to see the situation change over the next few years as the early adoption phase transitions to something more mature. When that happens, he notes, there will be one significant advantage with the combination approach. The entire process is transparent to the end user, which increases the chance of successful implementation and use in real-world situations. "If it's simple, then people will do it," Langston says. "If it isn't, then they'll find ways around it."

It is a good topic; the performance of the combined solution seems great, but I don't think it will be in the next few years. Yes, "If it's simple, then people will do it," Langston says. "If it isn't, then they'll find ways around it." I think this too.
